Windows IoT Security. Jackie Chang Sr. Program Manager


Data & Control
- Rest: physical access to a device will not give access to data.
- Execution: the data owner has full control over data processing.
- Motion: transport of data between endpoints/devices is secure.

IoT protection stack
- Device protection: Trusted Platform Module (TPM); Windows Device Health Attestation; Secure Boot; BitLocker
- Threat resistance: Windows as a Service; Device Guard; Windows Firewall; Windows Defender*
- Data protection in motion: X.509/TLS-based handshake and encryption; encryption at rest
- Cloud security: Azure Active Directory; Key Vault; policy-based access control; IP-based blocking; secure device registration
- Response: device management; device recovery; device-specific repudiation; standards-based best practices
*Only available on Windows IoT Enterprise

(Diagram layers: Hardware, Software, Device, Data & Control, Security Services)

Device security properties
- Hardware root of trust: supports strong device identities.
- Defense in depth: various levels of defense in depth, including Device Guard, UWP Appx containerization, etc.
- Small trusted computing base: TrustZone is used for critical processing such as the fTPM.
- Dynamic compartments: UWP apps run in their own contexts; Windows is built in a compartmentalized way.
- Certificate-based authentication: certificate (key) protected code execution through Device Guard.
- Failure reporting: different levels of failure reporting for hardware, OS and apps are available via Watson through OEM portals.
- Renewable security: proven and scalable update infrastructure through Windows Update and Device Update Center.
The example is based on an i.MX6 processor running Windows IoT.

Device attestation and provisioning
- Device attestation answers "Can I trust the device with my assets?": the trusted device presents a security claim to the Attestation Service, which returns proof of device health. Outcome: "I can trust the device with my assets."
- Provisioning answers "Who has access to my assets?": device identity and health go to the Provisioning Service, which applies policy. Outcome: "I am in control of the device."

Protect: protect data where it is, at rest, in motion and during execution, by utilizing a TEE, secure boot and others; establish trust through attestation and provisioning.
Detect: Device Health Attestation assesses trusted and compliant state; Azure Security Center provides cloud-powered, behavioral-based breach detection, a threat intelligence knowledge base, and forensic investigation and mitigation capabilities; actionable information.
Remediate: security bulletins and fixes; Device Update Center with scalable device staging; device management, scalable from low-end devices to enterprise, cloud and on-prem.

Build Secure Devices with Windows

Device platform security is built into Windows
- Secure applications through UWP
- Health attestation and provisioning
- Data protection at rest: volume encryption and hardware-supported key storage (BitLocker, TPM)
- Secure execution: Device Guard, Secure Boot
- Threat mitigation
- Device update and management
- Turn-key security and manufacturing tools
Service offerings (Windows 10 IoT Core Services): 10-year LTSC support; Device Health Attestation; update management via the Device Update Center (DUC); Azure Security Center; Windows 10 Enterprise license

Windows IoT security promise: Windows IoT provides the best endpoint security to protect your data at rest, in motion and during execution. Windows IoT devices are built with security in mind. Security does not get in the way of your development, deployment and operation.

IoT security offering
- Protect (core hardware and platform): malware resistance with Secure Boot; securing keys in the TPM; information protection for data at rest with BitLocker; execution control via Device Guard for IoT; security updates.
- Detect (device attestation): security-related data points validated by the remote Health Attestation Service; measured boot data, protected by the TPM, sent to the service for verification; conditional access to sensitive assets based on the device health assessment.
- Detect (Windows Defender ATP*): advanced threat protection with cloud-powered, behavioral-based, post-breach detection; anomaly detection combined with the Microsoft threat intelligence knowledge base; forensic investigation and mitigation capabilities.
- Remediate (recovery and device management): remediate the affected device via DM (e.g. flash the device); device update.
* Roadmap

Protection: volume encryption with TPM-protected keys; Device Guard; Secure Boot

Detection

Device Health Attestation: remote attestation based on hardware-measured and attested data. DHA enables IT administrators to monitor the security posture of managed devices remotely, using hardware (TPM) protected and attested data. The device asks for access ("Access please, here is my health attestation") and the flow runs as follows:
1. The device management server requests the health data signature.
2. The DHA-enabled device responds with a signed health data blob.
3. The blob reaches the DHA service via a tamper-resistant and tamper-evident communication channel.
4. The DHA service verifies the health data.
5. The DHA service responds with a health report, which device management evaluates against client policies (AV, firewall, state).
https://docs.microsoft.com/en-us/windows/client-management/mdm/healthattestation-csp
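The five-step exchange on this slide, as an added example that is not part of the deck and not Microsoft's DHA implementation: an MDM server picks a nonce, a device signs its boot state under an attestation key, and a service verifies the blob before the MDM applies policy. The `HealthData` fields, the `Blob` shape and the policy rules are assumptions of the example, and an in-process P-256 key stands in for the TPM-resident key; real DHA carries TPM-protected measured-boot data rather than self-reported booleans. It also shows the two failures a verifier must catch: a replayed blob (wrong nonce) and an altered blob (broken signature).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// HealthData is the device's claim set. Real DHA derives it from the TPM-protected measured-boot
// log (PCRs, TCG log); this field set is an assumption of the example.
type HealthData struct {
	DeviceID      string `json:"device_id"`
	Nonce         []byte `json:"nonce"`
	SecureBoot    bool   `json:"secure_boot"`
	BitLocker     bool   `json:"bitlocker"`
	CodeIntegrity bool   `json:"code_integrity"` // Device Guard enforcing
}

type Blob struct{ Data, Sig []byte } // signed health data, handed to the MDM server in step 2

// Device holds the attestation key; a real device keeps it in the TPM, here an in-process P-256 key stands in.
type Device struct{ ID string; AIK *ecdsa.PrivateKey; Boot HealthData }

// Quote answers step 1: the boot state is signed together with the MDM's nonce, binding the blob
// to this request so that an earlier blob cannot be replayed.
func (d *Device) Quote(nonce []byte) Blob {
	hd := d.Boot
	hd.DeviceID, hd.Nonce = d.ID, nonce
	data, _ := json.Marshal(hd) // a plain struct always marshals
	digest := sha256.Sum256(data)
	sig, err := ecdsa.SignASN1(rand.Reader, d.AIK, digest[:])
	if err != nil {
		panic(err)
	}
	return Blob{data, sig}
}

// DHAService knows each device's attestation public key from enrollment; that enrollment is what
// makes a verified signature "hardware (TPM) protected and attested" health data.
type DHAService struct{ AIKs map[string]*ecdsa.PublicKey }

// Verify is step 4: a health report comes back only for a blob signed by the enrolled key and carrying this request's nonce.
func (s *DHAService) Verify(b Blob, nonce []byte) (*HealthData, error) {
	var hd HealthData
	if err := json.Unmarshal(b.Data, &hd); err != nil {
		return nil, err
	}
	pub, ok := s.AIKs[hd.DeviceID]
	if !ok {
		return nil, fmt.Errorf("%s: not enrolled", hd.DeviceID)
	}
	digest := sha256.Sum256(b.Data)
	if !ecdsa.VerifyASN1(pub, digest[:], b.Sig) {
		return nil, fmt.Errorf("%s: signature does not verify (forged or altered blob)", hd.DeviceID)
	}
	if !bytes.Equal(hd.Nonce, nonce) {
		return nil, fmt.Errorf("%s: nonce mismatch (stale or replayed blob)", hd.DeviceID)
	}
	return &hd, nil
}

// Unhealthy is the MDM's policy (step 5): the reasons the device fails it, nil meaning access may
// be granted. The rule set is this example's choice, not a published baseline.
func Unhealthy(hd *HealthData) (reasons []string) {
	if !hd.SecureBoot {
		reasons = append(reasons, "secure boot disabled")
	}
	if !hd.BitLocker {
		reasons = append(reasons, "volume not encrypted")
	}
	if !hd.CodeIntegrity {
		reasons = append(reasons, "code integrity not enforced")
	}
	return reasons
}

// Exchange runs the slide's flow once: the MDM picks a nonce (1), the device quotes (2), the blob
// goes to the service (3), which verifies it (4) and returns the report the MDM evaluates (5).
func Exchange(dev *Device, svc *DHAService) ([]string, error) {
	nonce := make([]byte, 16)
	rand.Read(nonce) // crypto/rand; never returns an error in Go 1.24+
	hd, err := svc.Verify(dev.Quote(nonce), nonce)
	if err != nil {
		return nil, err
	}
	return Unhealthy(hd), nil
}

func main() {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // demo only: error ignored
	dev := &Device{ID: "gw-01", AIK: k, Boot: HealthData{SecureBoot: true, BitLocker: true, CodeIntegrity: true}}
	svc := &DHAService{AIKs: map[string]*ecdsa.PublicKey{"gw-01": &k.PublicKey}}
	fmt.Println(Exchange(dev, svc)) // [] <nil>: compliant, access may be granted
	old := dev.Quote([]byte("old nonce"))                // a blob captured earlier ...
	fmt.Println(svc.Verify(old, []byte("fresh nonce"))) // ... fails the freshness check
	old.Data = bytes.ReplaceAll(old.Data, []byte(`"bitlocker":true`), []byte(`"bitlocker":false`))
	fmt.Println(svc.Verify(old, []byte("old nonce"))) // and an altered claim fails the signature
}
```

The point of the nonce is that the MDM, not the device, decides what counts as fresh: a device that passed last week cannot hand back last week's blob. The point of enrollment is that the service binds claims to a key it already knows, which is what the slide means by "hardware (TPM) protected and attested" data.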

Creating attestable trust: can I trust that the device provides the right information about its hardware and software?
(Diagram, i.MX6 SoC: Boot-ROM with a mutable seed -> SPL -> OP-TEE -> U-Boot -> UEFI -> Bootmgr/Winload/Ntoskrnl -> low-integrity OS in the normal world with low-integrity I/O; Measured Boot and BitLocker build on this chain. The TrustZone side, kernel and user, hosts the fTPM, the IoT Edge Secure Runtime and the XYZ agent with high-integrity I/O.)
- The root of trust is established by the SoC manufacturer or OEM.
- Each component issues a certificate for the component it loads, including its measurements.
- ECC keys are generated using the previous component's key as seed.
- A component certificate contains the measurement of the binary, the public key for this component, and the chain up to the previous certificate.
- The certificate chains (device/SPL, OP-TEE, U-Boot, fTPM, UEFI, Secure Runtime, XYZ, OS) are provided to the attestation service.
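The per-component certificate scheme on this slide, as an added example that is not taken from the deck or from any Microsoft, OP-TEE or DICE implementation: each stage measures the stage it loads, derives that stage's key from its own secret plus the measurement, and issues it a certificate carrying the measurement; the attestation service walks the chain back to the device's registered ROM key and compares every measurement with a golden manifest. Boot-ROM, SPL, OPTEE, UBoot and UEFI are the stage names from the slide. The stage binaries, the per-device seed, the manifest and the choice to carry the measurement in the Subject serialNumber attribute are assumptions of the example; a real design would use a dedicated extension and would have the SoC vendor or OEM certify the ROM key at manufacturing.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Layer struct{ Name, Binary string } // one boot stage and its binary (constructed sample data)

// must: with the fixed, well-formed inputs below these calls cannot fail, so a failure is a bug.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// deriveKey is the slide's "ECC keys are generated using the previous component key as seed": next secret =
// H(prev || measurement), P-256 key from it. Deterministic: same binary, same key; modified binary, unrelated key.
func deriveKey(prev []byte, m [32]byte) ([]byte, *ecdsa.PrivateKey) {
	next := sha256.Sum256(append(append([]byte{}, prev...), m[:]...))
	n := elliptic.P256().Params().N
	d := new(big.Int).SetBytes(next[:])
	d.Mod(d, new(big.Int).Sub(n, big.NewInt(1))).Add(d, big.NewInt(1)) // scalar in [1, n-1]
	q := must(ecdh.P256().NewPrivateKey(d.FillBytes(make([]byte, 32)))).PublicKey().Bytes() // 0x04||X||Y
	pub := ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(q[1:33]), Y: new(big.Int).SetBytes(q[33:])}
	return next[:], &ecdsa.PrivateKey{PublicKey: pub, D: d}
}

// issue is the slide's component certificate: pub certified under parentKey (self-signed when parent
// is nil). The measurement rides in the Subject serialNumber attribute, an assumption of this example.
func issue(name string, m [32]byte, pub *ecdsa.PublicKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name, SerialNumber: fmt.Sprintf("%x", m[:])},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: true,
	}
	if parent == nil {
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))))
}

// Boot plays the device: the Boot-ROM key comes from the fused seed and is self-certified; each stage
// then measures, keys and certifies the stage it loads. chain[0] is the ROM (root) certificate.
func Boot(seed []byte, stages []Layer) (chain []*x509.Certificate) {
	romM := sha256.Sum256([]byte("Boot-ROM")) // immutable ROM: a fixed label stands in for its measurement
	secret, key := deriveKey(seed, romM)
	chain = append(chain, issue("Boot-ROM", romM, &key.PublicKey, nil, key, 1))
	for i, s := range stages {
		m := sha256.Sum256([]byte(s.Binary))
		nextSecret, nextKey := deriveKey(secret, m)
		chain = append(chain, issue(s.Name, m, &nextKey.PublicKey, chain[len(chain)-1], key, int64(i+2)))
		secret, key = nextSecret, nextKey
	}
	return chain
}

// Attest plays the attestation service: walk the chain link by link from root (the device's ROM cert,
// registered with the service at manufacturing) and compare every measurement with the golden manifest.
func Attest(root *x509.Certificate, chain []*x509.Certificate, manifest map[string][32]byte) error {
	parent := root
	for _, c := range chain {
		if err := c.CheckSignatureFrom(parent); err != nil {
			return fmt.Errorf("%s: not issued by %s: %w", c.Subject.CommonName, parent.Subject.CommonName, err)
		}
		if want, ok := manifest[c.Subject.CommonName]; !ok || c.Subject.SerialNumber != fmt.Sprintf("%x", want[:]) {
			return fmt.Errorf("%s: measurement does not match the golden manifest", c.Subject.CommonName)
		}
		parent = c
	}
	return nil
}

// Demo: genuine device accepted; U-Boot implant rejected (chain valid, measurement wrong); foreign seed rejected.
func Demo() (genuine, implant, foreign error) {
	stages := []Layer{{"SPL", "spl v1"}, {"OPTEE", "op-tee v1"}, {"UBoot", "u-boot v1"}, {"UEFI", "uefi v1"}}
	manifest := map[string][32]byte{}
	for _, s := range stages {
		manifest[s.Name] = sha256.Sum256([]byte(s.Binary))
	}
	seed, bad := []byte("per-device fused seed (constructed)"), append([]Layer{}, stages...)
	bad[2].Binary += " + implant"
	chain := Boot(seed, stages) // chain[0] is what the OEM registered with the service
	genuine = Attest(chain[0], chain[1:], manifest)
	implant = Attest(chain[0], Boot(seed, bad)[1:], manifest)
	foreign = Attest(chain[0], Boot([]byte("attacker seed"), stages)[1:], manifest)
	return
}

func main() {
	fmt.Println(Demo()) // <nil>, then the two rejections
}
```

Two failure modes are worth separating. The implanted U-Boot still yields a chain that verifies cryptographically, because every certificate was genuinely issued by the stage above it; it is the manifest comparison that catches it, and because U-Boot's key and everything derived below it changed, the tampered device can no longer present the identity it had. A chain built from a different seed fails earlier, at the ROM-to-SPL link, since the service only trusts the ROM key registered for this device.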

Advanced Threat Protection for IoT devices. Early threat detection is critical to mitigate the impact on device operation. WDATP is available for Windows 10 Enterprise and Server: advanced threat protection with cloud-powered, behavioral-based, post-breach detection; anomaly detection combined with the Microsoft threat intelligence knowledge base; forensic investigation and automated mitigation capabilities. PCs have a broader attack surface due to the open platform and user-initiated entry points (email, social media); these apply only to a limited extent to IoT solutions. Windows IoT devices are locked-down, purpose-built devices with limited, well-defined user interaction. Their attack surface: zero-day exploits, communication protocol attacks, wrong configurations.

Remediation

Windows Update. Connected devices face the challenge of new security threats; updates are an essential tool to address this. Windows Update keeps the device up to date with critical security software updates, utilizes the proven and scalable Microsoft infrastructure, and lets device owners easily manage and control updates, with easy management via Device Update Center.

Introducing Windows 10 IoT Core Services: commercialize your project with enterprise-grade security and support.
- Updates: take control of Windows updates with the cloud-based IoT Core Device Update Center (DUC); manage updates for OS, apps, settings, and OEM-specific files from the cloud; distributed over the same global CDN used by Windows Update.
- Security: help ensure the safety of your network and devices with cloud-based Device Health Attestation (DHA); backed by the same security research team and validation process used by 700M Windows 10 devices; leverage hardware and cloud services to provide tamper proofing and remote attestation of device health.
- Support: count on stable systems with 10 years of LTSC (Long Term Servicing Channel) support with security updates only (no new features); official Microsoft Lifecycle Support statement, linked to the software license agreement; access to monthly published Windows IoT Core packages for building fully patched images with OEM tools.

Privacy: GDPR

Our commitment: Windows 10 IoT platforms are GDPR compliant. Together with our partners, we are prepared to help you meet your policy, people, process, and technology goals to align with GDPR. View Microsoft GDPR compliance at www.microsoft.com/gdpr

Security on Azure IoT Edge

Azure IoT Edge device security promises: what is the maximum protection you can expect if the device fell into the wrong custody? (Diagram: hardware tiers HSM secure element and HSM secure enclave, with the Azure IoT Edge Security Manager running on top of the HSM in each case.)

Azure IoT Edge security with enclaves (public preview): enabling the Open Enclave SDK for the intelligent edge and simplifying the development of trusted applications across operating systems and hardware platforms.

Extensible enclave model (on an HSM secure enclave with the Azure IoT Edge Security Manager)
- Foundation TA: PKI-based identity and authentication; certificate store; crypto libraries
- TA extensions: metering; trusted I/O; secure logging; edge module custom sensitive logic; etc.

Windows IoT Editions

Windows 10 IoT editions. Microsoft is releasing a new Windows 10 IoT Core Services offering with 10 years of support (LTSC).
- Windows 10 IoT Core. What's new? A brand new offering, Windows 10 IoT Core Services, providing new value and a new sales opportunity with a broader services attach motion. Purchase model: subscription fee*. Availability and support: 10 years of distribution and support fixes.
- Windows 10 IoT Enterprise. What's new? RS5 LTSC, a cumulative release since RS1: a stable LTSC with RS2->RS5 features. Availability and support: 10 years of distribution and support fixes.